Equifax and the Perils of Password Protection

Biometric authentication is being billed as a better, safer alternative to passwords and pass codes. (Photo: Shutterstock / Torin55)

In the U.S., it's almost comically easy to hack someone's life. All you need are a few numbers to access most smartphones, a string of characters to access most email accounts and a handful of biographical details to steal most identities.


And so when news broke Sept. 7 that Equifax, one of America's largest credit-rating agencies, had been compromised, exposing data from as many as 143 million accounts, people were rightfully concerned. The hack wasn't as large as other high-profile incidents, like the ones at Yahoo and MySpace, which jeopardized an estimated 500 million and 360 million user accounts, respectively. But it's a likely gold mine for identity thieves, especially considering the type of information that was exposed--not just names and addresses, but also Social Security, credit card and driver's license numbers. That's more than enough to open a credit card in someone's name, take out a loan, and more. (Equifax, which is now facing more than 30 new lawsuits in the U.S., did not respond to multiple requests for comment.)

There are ways to prevent these calamities. One way, of course, is for companies to do a better job securing users' information so it doesn't get hacked in the first place. But the bigger issue, say industry experts, is that the information we use to establish and verify our identities--passwords, pass codes, biographical details--is simply too easy to steal. And solving that problem requires overhauling the way we think about proving who we are, both online and in real life.

Enter biometric authentication, or using a person's physical traits--such as a fingerprint, a face or an iris--to double-check his or her identity. In recent years, this method has popped up on a variety of platforms, including smartphones (you can "unlock" the newest iPhones and Samsung Galaxies using your face); mobile-banking apps (Citibank and Bank of America both allow you to log in to your account using a fingerprint); and even airport-security checkpoints (the TSA is testing fingerprint scanners at two U.S. airports). The main selling point: it's a lot harder for people to steal your identity if they have to physically re-create it. "Anyone can look at you and see how tall you are," says Jim Sullivan, a senior executive at the biometric firm BIO-key. "But they can't look at you and be that tall just by knowing that information."

That said, hackers have always found ways to circumvent new security standards, and biometrics are no exception. Researchers have demonstrated that it's possible to digitally compose a fake fingerprint. And a recent test of the Galaxy Note 8's iris scanner indicated the sensor could be fooled by holding a photo up to the phone's front-facing camera. But there are ways to fight back--such as augmenting fingerprint sensors to test for "liveness," like blood flow, so that a copy of the print alone is not enough. And even with its risks, biometrics are still far more secure than passwords and pass codes.

Yet it will be tough for biometric verification to make the jump from technology premium to government standard, especially in America. In order to create any kind of biometric-backed ID system, the government would have to collect and store biometric data on every U.S. citizen--a process that's costly and complicated, and would face major regulatory issues. And even if it succeeds, it could have unforeseen consequences. Consider India's Aadhaar program, which has now enrolled more than 90% of the country's population into a biometric database. Although the system has dramatically cut down on fraud, critics argue it may prevent some citizens from accessing government benefits. "We are building a system that will decide whether a child will eat or not ... based on [the] quality of Internet connectivity and cleanliness of the child's thumbprint," Sumandro Chattapadhyay, research director at India's Center for Internet and Society, told the Guardian earlier this year.

In the U.S., the biggest hurdle may be complacency: we've all gotten comfortable with text- and number-based identity verification. And when there are large breaches, like the one at Equifax, the hijacked data is often sold to other hackers for later use--meaning the consequences aren't always felt right away. "The system is broken," says Avivah Litan, a security analyst at Gartner. "But the pains just aren't great enough yet."